SENSITIVE BUT UNCLASSIFIED

UNITED STATES DEPARTMENT OF STATE
AND THE BROADCASTING BOARD OF GOVERNORS
OFFICE OF INSPECTOR GENERAL

ISP-I-13-38                    Office of Inspections                    July 2013

Inspection of the Bureau of Information Resource Management, Office of Information Assurance

IMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

PURPOSE, SCOPE, AND METHODOLOGY OF THE INSPECTION

This inspection was conducted in accordance with the Quality Standards for Inspection and Evaluation, as issued in 2011 by the Council of the Inspectors General on Integrity and Efficiency, and the Inspector’s Handbook, as issued by the Office of Inspector General for the U.S. Department of State (Department) and the Broadcasting Board of Governors (BBG).

PURPOSE AND SCOPE

The Office of Inspections provides the Secretary of State, the Chairman of the BBG, and Congress with systematic and independent evaluations of the operations of the Department and the BBG. Inspections cover three broad areas, consistent with Section 209 of the Foreign Service Act of 1980:

• Policy Implementation: whether policy goals and objectives are being effectively achieved; whether U.S. interests are being accurately and effectively represented; and whether all elements of an office or mission are being adequately coordinated.

• Resource Management: whether resources are being used and managed with maximum efficiency, effectiveness, and economy and whether financial transactions and accounts are properly conducted, maintained, and reported.

• Management Controls: whether the administration of activities and operations meets the requirements of applicable laws and regulations; whether internal management controls have been instituted to ensure quality of performance and reduce the likelihood of mismanagement; whether instances of fraud, waste, or abuse exist; and whether adequate steps for detection, correction, and prevention have been taken.

METHODOLOGY

In conducting this inspection, the inspectors: reviewed pertinent records; as appropriate, circulated, reviewed, and compiled the results of survey instruments; conducted on-site interviews; and reviewed the substance of the report and its findings and recommendations with offices, individuals, organizations, and activities affected by this review.

United States Department of State
and the Broadcasting Board of Governors
Office of Inspector General

PREFACE

This report was prepared by the Office of Inspector General (OIG) pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series of audit, inspection, investigative, and special reports prepared by OIG periodically as part of its responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

This report is the result of an assessment of the strengths and weaknesses of the office, post, or function under review. It is based on interviews with employees and officials of relevant agencies and institutions, direct observation, and a review of applicable documents.

The recommendations therein have been developed on the basis of the best knowledge available to the OIG and, as appropriate, have been discussed in draft with those responsible for implementation. It is my hope that these recommendations will result in more effective, efficient, and/or economical operations.

I express my appreciation to all of those who contributed to the preparation of this report.

Harold W. Geisel
Deputy Inspector General

Table of Contents

Key Judgments                                                  1
Context                                                        2
Executive Direction                                            3
  The Information Assurance Role in the Department of State    3
  Management Direction and Leadership                          4
Program Implementation                                         7
  Policy and Outreach                                          7
  Information Systems Security Officer Program                 9
  Certification and Accreditation Program                     10
  iPost Development                                           15
  Content Management                                          15
Resource Management                                           17
  Budget and Funding                                          17
  Contract Management                                         17
  Inventory Management                                        22
  Training                                                    22
  Equal Employment Opportunity                                22
  Performance Plans and Employee Appraisals                   23
  Orientation for Incoming Personnel                          23
  Physical Security                                           23
List of Recommendations                                       25
List of Informal Recommendations                              28
Principal Officials                                           29
Abbreviations                                                 30

Key Judgments

• The Bureau of Information Resource Management, Office of Information Assurance (IRM/IA) was established to address the information security requirements outlined in Title III of the E-Government Act of 2002. The office does not fulfill all those requirements. The majority of the required functions are performed by Department of State (Department) offices other than IRM/IA.

• The current workload of IRM/IA does not justify its organizational structure, resources, or status as an IRM directorate.

• The mishandling of the certification and accreditation (C&A) process and contract by IRM/IA, including development of tools and guidance and reviews of C&A packages, has contributed to expired authorizations to operate for 52 of the Department’s 309 systems.

• No single Department bureau has full responsibility for the information systems security officer (ISSO) program. Both IRM and the Bureau of Diplomatic Security (DS) directly or indirectly support the ISSO program, resulting in confusion among personnel on requirements and guidance. The involvement of both bureaus also wastes personnel resources.

• IRM/IA lacks adequate management controls and procedures to monitor its contracts, task orders, and blanket purchase agreements, which have an approximate value of $79 million.

• IRM/IA has no mission statement and is not engaged in strategic planning.

All findings and recommendations in this report are based on conditions observed during the on-site review and the standards and policies then in effect. The report does not comment at length on areas where the Office of Inspector General (OIG) team did not identify problems that need to be corrected.

The inspection took place in Washington, DC, between February 4 and March 22, 2013. [Redacted] (b) (6) conducted the inspection.

Context

IA is one of three IRM directorates. IRM/IA, headed by the Department’s chief information security officer (CISO), was created in August 2003 in response to requirements set forth in Title III of the E-Government Act of 2002 and the Federal Information Security Management Act of 2002 (FISMA). The CISO is the Department’s senior information security official as delineated in the legislation.

IRM/IA is responsible for the Department’s cyber security program; information assurance policies, standards, and guidelines; and compliance with National Security directives. The key programs of IRM/IA include cyber security management, which comprises policy development, risk management, systems authorizations, performance measures, and annual reporting for FISMA. IRM/IA collaborates with DS on information security responsibilities.

IRM/IA has three divisions. The System Authorization Division delivers information security services to customers for C&A compliance and system monitoring and handles contract management. The Global Oversight Division assists with the Department’s ISSO program by supporting domestic and overseas personnel in the performance of their responsibilities. The Policy, Liaison, and Reporting Division provides information security policy and liaison support for IRM/IA. This division also coordinates the annual FISMA submissions to the Office of Management and Budget.

The role of IRM/IA in information security has evolved in response to advancements in technology and the introduction of new Federal legislation and directives. While the creation of the office was prompted by FISMA, guidance and directives from the Federal Chief Information Officers Council, the Office of Management and Budget, and the National Institute of Standards and Technology help shape priorities and information security activities. The response of IRM/IA to these evolving requirements is critical to the Department’s information security posture.

IRM/IA staff consists of 22 full-time employees and 36 contract employees, though this number fluctuates as perceived needs change. Funding for IRM/IA activities is $5.9 million per year from FYs 2011–13. The annual operating budget for IRM/IA in FY 2013 is approximately $10 million, with other funds coming from reimbursements and internal bureau transfers. For FY 2014 planning, the Chief Information Officer increased the IRM/IA budget request by an additional $8 million to support specific Department initiatives. IRM/IA is supported by five procurement vehicles with a total value of more than $79 million. IRM/IA is also supported through the Vanguard 2.2.1 contract—a series of the overall Vanguard performance-based contract valued at $2.5 billion.

Executive Direction

The Information Assurance Role in the Department of State

IRM/IA was established to address the information security requirements outlined in Title III of the E-Government Act of 2002; however, IRM/IA is not the focal point for all Department information assurance[1] functions. The majority of functions are performed by other offices. IRM/IA is not doing enough and is potentially leaving Department systems vulnerable. IRM/IA has conceded that other Department elements have a greater role in information security, diminishing the relevance of IRM/IA.

DS has several offices handling information security elements,[2] including information technology (IT) personnel monitoring information security incidents, assessing cyber security, managing technical security of facilities, and performing network management, as well as developing information security policies and standards for IT personnel. Within other IRM offices,[3] personnel are responsible for the management and oversight of the Department’s information systems, which include the Department’s unclassified and classified networks. IRM IT personnel monitor the network and infrastructure for cyber attacks and risk measures; provide operation and maintenance support for all IT infrastructure systems and equipment; and establish policies, processes, and procedures for consolidated bureaus on desktop security guidelines. In addition, the Bureau of Intelligence and Research handles all aspects of information security for the Department’s intelligence systems. The Office of the Coordinator for Cyber Issues, located in the Secretary of State’s executive office, was recently created to coordinate and manage cyber security issues within one office as required, both within the U.S. Government and in diplomatic engagements worldwide.

IRM/IA performs a limited number of information assurance functions, does not have a lead role in most of the functions it does perform and, for the most part, only compiles information generated by others. For example, IRM/IA is tasked with overseeing the ISSO program, but is not the principal office where ISSO personnel overseas seek information and guidance. Several ISSOs surveyed by OIG were not even aware of the involvement of IRM/IA. IRM/IA is also tasked to be the Department’s lead in C&A[4] activities, yet many bureaus and offices complete necessary C&A assessments and documents without the involvement of IRM/IA. More significantly, IRM/IA does not have the lead for the most important C&A effort in the Department—the OpenNet network. That task is handled by IRM’s Enterprise Network Management Office.

[1] According to the National Institute of Standards and Technology, information assurance is a measure of confidence that the security features and architecture of an information system accurately enforce the security policy and is composed of the degree of availability, confidentiality, accountability, and integrity required.
[2] DS offices include the Office of Computer Security, the Office of Information Security, the Computer Investigation and Forensics divisions, and the Office of Security Technology.
[3] IRM offices include the Enterprise Network Management Office, the Office of Information Technology Infrastructure, and the Operational Support division.
[4] According to the National Institute of Standards and Technology, C&A is the comprehensive assessment and approval of the security controls of an information system to determine the extent to which the controls are implemented correctly, operating as intended, and meeting security requirements. Traditional C&A is performed every 3 years or when a significant change is made. Continuous monitoring is performed on an ongoing basis; however, it does not replace the C&A requirement.

In light of the lack of active involvement in many of its stated responsibilities, the proposed IRM/IA office realignment for an additional deputy position and one more division, as well as the need for some of the current divisions, is not justified by the current level of work being performed. Duplication of functions between IRM/IA and other Department elements is likely. The realignment package is currently being reviewed by the Bureau of Human Resources, Office of Resource Management and Organizational Analysis, and the package does not provide strong support for approving the realignment proposal. It does not include most of the documentation the Office of Resource Management and Organizational Analysis requires, such as an explanation of how the proposed organization will meet the Department’s management goals, a crosswalk of changes occurring to staff functions, and a communications plan outlining how IRM/IA is planning to solicit views and input from stakeholders. A further analysis of the organization, responsibilities, and workload of IRM/IA is necessary to provide the Department with reassurance that the current and proposed resources are justified prior to any approval of office realignment.

IRM/IA indicated that its management met with the Office of Resource Management and Organizational Analysis twice to discuss the organizational assessment since the completion of OIG’s inspection.
An assessment study is scheduled to begin in June 2013 with tentative completion by September 2013.

Recommendation 1: The Bureau of Human Resources should direct the Office of Resource Management and Organizational Analysis to perform an organization assessment of the Bureau of Information Resource Management, Office of Information Assurance, including a workforce and workload balance analysis and a review of similar functions that are being performed by other offices in the Department of State. (Action: DGHR)

Management Direction and Leadership

The current CISO arrived at the end of September 2012, and with his arrival the atmosphere in the office has improved. He has focused on rebuilding relationships both internally and externally with other IRM and Department offices. However, attention is needed to define the office’s mission and goals and outline its strategic vision.

Mission and Goals

The CISO has not addressed critical management issues. IRM/IA does not have a mission statement outlining a vision for the office and specific goals for each of its three divisions. In fact, the CISO was in the process of drafting a mission statement at the end of the inspection. No document provides a clear connection between the work of IRM/IA and the high-level goals outlined by the Chief Information Officer in the Department’s IT Strategic Plan for FYs 2011–13. The CISO has not provided division chiefs with priorities based on defined goals. As a result, the staff is not proactive in meeting information security requirements.

The CISO held nine staff meetings in the first 6 months after his arrival. IRM/IA staff commented that those meetings normally do not provide clarity on what the CISO considers to be office priorities. Many staff commented that they are unaware of the CISO’s activities in general and are unable to obtain those answers since he is not seen regularly in the office. The creation of a mission statement and office goals would assist staff in understanding their work requirements and priorities and improve financial and resource planning.

Recommendation 2: The Bureau of Information Resource Management should develop a written mission statement for the Office of Information Assurance that includes short-term and long-term priorities and goals for the office and each division. (Action: IRM)

Strategic Planning

IRM/IA is not engaged with IT strategic planning in the Department. The Department’s Quadrennial Diplomacy and Development Review (QDDR) process stresses the importance of multiyear strategic planning Departmentwide as a way to assess policy priorities, anticipate changing requirements, and justify resource requirements. IRM produces 3-year strategic and tactical plans with the QDDR goals in mind. With increased concerns about cyber security in the Department and the Federal government, the importance for the Department to create strategic documents that reflect broad collaboration is heightened; however, IRM/IA has not actively engaged in strategic planning efforts within the Department. These strategic planning efforts should include participating in strategy meetings or collaborating with the IRM Strategic Planning Office—the central office of IRM that facilitates management decisions for planning purposes.

The current Department IT Strategic Plan for FYs 2011–13 contains little mention of information assurance functions. Nor is information assurance addressed prominently in the IRM Strategic Plan for 2014–2016. While there are references in these plans to the importance of protecting the Department’s worldwide IT network and information assets, the strategy and crosswalk for addressing these factors with the involvement of IRM/IA are not detailed in the strategic or tactical plans’ goals and objectives.

IRM/IA needs to engage with all offices in the Department that perform or are engaged in information security functions for strategic planning purposes. For example, IRM/IA should coordinate its strategic planning with DS, as many of the security functions are handled by DS programs and personnel. One of the three goals listed in the DS FY 2013 Bureau Strategic and Resource Plan[5] is to “securely enable the Department’s global cyber operations and information assets.” The goal includes three performance indicators and targets related to systems operations, capability to identify and address threats, and training on cyber awareness. The actions of DS illustrate more consideration and preparation than those of IRM/IA, which by statute is the lead office for information assurance and security. Mission clarity and resource alignment should be reflected in the work being performed by both bureaus in order to effectively manage resources and funding requirements.

Recommendation 3: The Bureau of Information Resource Management should revise its Department of State Information Technology Strategic Plan to include the Office of Information Assurance activities. (Action: IRM)

[5] In December 2011, the Department issued 11 STATE 124737, which discontinued the Bureau Strategic and Resource Plan. The Bureau Resource Request (three-year strategic plans, with shorter annual resource requests) replaces the Bureau Strategic and Resource Plan beginning with the FY 2014 budget cycle.

IRM/IA does not have an office strategic plan. There is no evidence of IRM/IA management engaging in a comprehensive strategic review to assess its current capabilities and future needs. The CISO and his division chiefs have not reviewed operations to determine what information assurance and security functions they are required to perform or are currently handling based on statutory requirements. There is no record of IRM management discussing how the office is performing those functions and whether sufficient resources and funding are available to meet future needs.

The information assurance landscape is constantly changing as the U.S. Government continues to address cyber security concerns involving government operations and critical infrastructure. IRM/IA, under the direction of the CISO, needs to participate in these initiatives within the Department. Proper strategic planning will assist in that endeavor.

Informal Recommendation 1: The Bureau of Information Resource Management should require the Office of Information Assurance to develop an office strategic plan that aligns with its mission and goals and with the Department of State’s Information Technology Strategic Plan.

Program Implementation

Policy and Outreach

Policy and outreach in IRM/IA have been inconsistent and ineffective.
IRM/IA does not update Department regulations—the Foreign Affairs Manual (FAM) and Foreign Affairs Handbook (FAH)—to reflect current information security responsibilities among personnel or to show alignment with statutory requirements. Collaboration between IRM/IA and other Department offices performing information security functions is very limited. Internal and external outreach efforts are not extensive, nor do they include any internal mechanism by IRM/IA management to collaborate and share information gathered during outreach activities with its divisions that perform the respective functions.

Information Technology Policy

The CISO is charged with developing and maintaining the Department’s information security policies per statutory requirements set forth in FISMA. These include developing, implementing, and maintaining an agencywide information security program plan. This responsibility is coordinated with DS, which handles physical protection and implementation of operational information security programs. IT policies developed by IRM are addressed in 5 FAM and 5 FAH regulations, while IT policies managed by DS are outlined in 12 FAM and 12 FAH regulations. The Policy, Liaison, and Reporting Division was established within IRM/IA to support the CISO in developing Departmentwide information security policies and plans.

Many portions of IRM 5 FAM and 5 FAH regulations have not been updated since February 2007. This is a concern because Department IT personnel obtain guidance and instructions from these specific FAM and FAH regulations to administer their information security responsibilities. Further, many of these FAM and FAH regulations stem from legislation and guidelines outlined by Congress, the White House, the National Institute of Standards and Technology, and the Office of Management and Budget, to whom the Department must report regarding its information security posture. The Department is reporting on its information security posture using outdated requirements.

IRM/IA is making changes to FAM and FAH regulations with little coordination and collaboration with other offices within the Department that play a role in information security functions. These offices include other IRM offices, DS offices, the Bureau of Intelligence and Research, and the Office of the Coordinator for Cyber Issues. Representatives from these offices informed the OIG team that narrative input and clearances were not sought by IRM/IA for IT FAM and FAH changes. For example, the language in 12 FAM that is handled by DS does not match language in 5 FAM that is handled by IRM. Terminology for IT functions and personnel is often outdated.

Additionally, IRM FAM and FAH policies do not mention the latest technologies and efforts within the Department. For example, there is little mention of or guidance for handling social media. The limited guidance in 5 FAM was written in 2010 and is outdated. There is no mention of cloud computing in 5 FAM, which is surprising considering that cloud computing is described as a strategic goal for IRM in its IT Strategic Plan. These types of policy development are the responsibility of IRM/IA, and more importantly the CISO, per statutory requirements.

IRM/IA management indicated that it is working with DS and IRM’s Governance, Resource, and Performance Management Office to create new policies and update existing 5 FAM policies related to information and cyber security. The office anticipates the process should be completed by February 2014.

Recommendation 4: The Bureau of Information Resource Management, in coordination with the Bureau of Diplomatic Security, should direct the Office of Information Assurance to update Volume 5 of the Foreign Affairs Manual and Foreign Affairs Handbook. (Action: IRM, in coordination with DS)

Recommendation 5: The Bureau of Information Resource Management, in coordination with the Bureau of Diplomatic Security, should implement a clearance process for revisions and updates to the Foreign Affairs Manual and Foreign Affairs Handbook that includes the review and approval of both bureaus. (Action: IRM, in coordination with DS)

Detailed guidance on IT security exceptions in FAM and FAH regulations is needed. Currently, the language in 12 FAM 600 and 5 FAM 600 does not provide clarity on what constitutes an IT security exception and what procedures should be followed for requesting approval. The only tool available is an informal procedural outline on the IRM/IA Web site.

The Global Oversight Division coordinates and tracks all IT security exceptions. Exceptions to DS policies contained in 12 FAM are sent from the Global Oversight Division to the Office of Computer Security in DS for review prior to being forwarded to the CISO for approval. The 5 FAM exceptions are maintained within IRM/IA for review and approval.
The division tracks all exceptions through a SharePoint library, which prompts an automatic notice for both the post and IRM/IA regarding expiring approved exceptions.

A review of recent IT security exceptions identified inconsistent procedures in the requests from the originator. Further, results of the OIG survey sent to domestic and overseas ISSOs showed confusion among a large number of respondents regarding IT security exceptions. More detailed policies on IT security exceptions are critical for the Department’s compliance with IT security requirements.

IRM/IA management informed the OIG team that they are working closely with DS to update the relevant 5 FAM and 12 FAM sections. Further, IRM/IA officials agree that it is imperative for their staff and DS to update the documents in a parallel manner to avoid conflict and confusion. IRM/IA anticipates the targeted completion to be June 2014.

Recommendation 6: The Bureau of Information Resource Management, in coordination with the Bureau of Diplomatic Security, should establish Foreign Affairs Manual and Foreign Affairs Handbook policies on information technology security exceptions, including descriptions of types of exceptions and procedures for requesting waivers. (Action: IRM, in coordination with DS)

Outreach Efforts

IRM/IA management needs to share information gathered from outreach efforts with its staff and participate regularly in Departmentwide IT working groups. Under the previous CISO, the office did not engage in outreach activities; however, the current CISO is focusing on them. The CISO maintains regular contact with the Office of Management and Budget, the Department of Homeland Security, the U.S. Agency for International Development, and the Office of the Director of National Intelligence. During the inspection, a meeting was also held with other government CISOs to enhance collaboration. The Policy, Liaison, and Reporting Division, which is responsible for administering outreach activities for IRM/IA, serves as the liaison between IRM/IA and system owners.

IRM/IA management is focused on building relationships outside the Department; however, that same focus is also needed on its outreach activities within the Department—such as with DS. IRM/IA co-chairs various working groups with DS but does not send participants to attend these meetings. For example, both bureaus jointly host the Awareness, Training, Education, and Professionalism working group responsible for developing a training plan for cyber security. IRM/IA has not attended the working group meetings for some time based on attendance records. Further, IRM/IA has not participated regularly in Cyber Security Policy Development working group meetings, and therefore is not involved in policy updates and changes to Department regulations based on cyber security matters. IRM/IA management needs to strongly encourage its staff to maintain regular contact with peers and attend Department meetings.

IRM/IA management needs to share information gathered from Department meetings with its staff to ensure employees have the most relevant and current information to perform their tasks. IRM/IA is not using any collaborative tools to share information. As a result, IRM/IA staff members have a mixed level of awareness and understanding of their relevant projects and Department efforts.

Recommendation 7: The Bureau of Information Resource Management should require the Office of Information Assurance to participate regularly in Departmentwide information technology working group meetings and share learned information from such meetings with its staff. (Action: IRM)

Information Systems Security Officer Program

No single Department bureau has full ownership of the ISSO program. Both IRM and DS directly or indirectly support the ISSO program, resulting in confusion among personnel on requirements and guidance. The involvement of both bureaus also wastes personnel resources. ISSOs are responsible for managing information security at each office or post. At overseas posts the function is typically performed as collateral duty and includes implementing information security policies and guidelines and ensuring that systems and networks are operating at acceptable levels of risk. Domestically, the position is often full time and typically includes special responsibilities involving bureau-specific applications.

DS has taken a more active role in the ISSO program. The DS Security Engineering and Computer Security Training Division provides ISSO training to IT personnel, which includes compiling course content and interacting with the Foreign Service Institute on class attendance. DS conducts and funds ISSO training either at selected posts worldwide or at its Washington, DC, training center and also manages the Cyber Security Awareness program for all Department personnel. DS personnel developed the ISSO checklist used by IT personnel to fulfill the requirements set forth by the Department in performing ISSO-related responsibilities. The checklist is an important tool to identify and prioritize how ISSOs should implement their responsibilities and is the cornerstone for the ISSO training course. Additionally, DS has an active Web resource managed by the Office of Computer Security for ISSOs to seek advice on IT security matters.
Department policy covering ISSO duties is also more detailed in 12 FAM and FAH regulations that are managed by DS than in 5 FAM and FAH regulations handled by IRM.

Within IRM, IT personnel at regional information management centers provide ISSOs with operational guidance and support. IRM also has a separate program office in its Security Management branch to support ISSO functions for IT-consolidated domestic bureaus. The branch establishes policies, processes, and procedures for consolidated bureaus’ compliance with desktop security guidelines and monitors systems for risks and security measures.

In addition, the Global Oversight Division in IRM/IA has an informational support role. The division maintains an electronic educational library that contains templates, Federal and Department guidance, and accreditation reports and tracks exceptions to IT security policy. The division has two email addresses to assist ISSOs. The response time by the Global Oversight Division varies depending on which email address is used and often by the rank of the individual requesting assistance. An ISSO blog was being coordinated by the Global Oversight Division, but it is no longer active. Currently, an ISSO discussion board is used to promote dialogue among ISSOs.

The division of responsibilities between DS and IRM, including policy development and implementation, training, reporting guidance, and information sharing, reduces accountability for IT security management and increases ambiguity among personnel. The consolidation of the ISSO program within one bureau would enable the Department to better align its technical expertise, personnel, and financial resources to support this vital information security function.

Recommendation 8: The Office of the Under Secretary for Management, in coordination with the Bureaus of Diplomatic Security and Information Resource Management, should assign responsibility of the information systems security officer program to a single bureau. (Action: M/PRI, in coordination with DS and IRM)

Certification and Accreditation Program

The CISO has directed the System Authorization Division to take the lead in the Department’s C&A activities, yet it does not have a leadership role in the C&A process. Under the previous CISO, the Department made a concerted effort to devote resources to move away from traditional C&A activities and reporting to continuous monitoring, which would continuously monitor the security controls implemented within systems. Proponents of continuous monitoring believe it sufficiently meets requirements for systems authorizations every 3 years, as well as requirements to report significant systems deficiencies to the Office of Management and Budget. After the departure of the previous CISO, the Chief Information Officer at that time decided to revert to traditional C&A reporting. However, at that point the Department had diverted significant resources away from C&A reporting, and as a result, a formal C&A has not been completed for the primary general support systems for the Department (OpenNet and ClassNet) since 2007.

The incomplete transition from traditional C&A reporting to continuous monitoring has created uncertainty about which direction the Department will adopt and who will be responsible.
Survey responses from system owners indicate that many bureaus and offices are completing assessments and documents without the involvement of IRM/IA, with a few bureaus acquiring their own contract support for their C&A work. Further, the most important C&A activity for the Department—the OpenNet network—is done outside of IRM/IA, with IRM/IA only attending meetings. Employees in the System Authorization Division, which includes contract staff via the Vanguard 2.2.1 scope, are handling few C&A activities. These C&A activities include the development of C&A tools and guidance and review of C&A packages once submitted by the system owners for approval. However, there are issues for each of these activities performed by IRM/IA, which are detailed below.

Tools and Guidance

System owners described IRM/IA tools as difficult to use and not user-friendly. Many commented that the tools would lock up while entering content, requiring information to be reentered. System owners attempted to share their frustrations regarding C&A tools with IRM/IA, but to no avail. This led system owners to research other means to complete C&A activities. One system owner conveyed that her bureau was using a different tool for storing C&A information than the one provided by IRM/IA.

For example, the Plan of Action and Milestones Toolkit was cited as particularly weak. The toolkit is used to track security vulnerabilities as part of the C&A process. It is a stand-alone database only accessible by IRM/IA System Authorization Division staff. System owners are provided with a printed spreadsheet to note by hand any updates. These are then entered by IRM/IA staff, reducing the level of accountability for the system owner. By including manual processes, IRM/IA is contradicting the main reasons to use an electronic means—to reduce paper and improve efficiency. Further, Plan of Action and Milestones Toolkit records for multiple systems, which detail security vulnerabilities in those systems and must be protected, are stored improperly by the System Authorization Division. IRM/IA staff is storing this information in shared folders on systems operating at lower security classification levels than the information being stored.

System owners also expressed concerns regarding iPost, a database that aggregates information derived from diagnostic tools run by other Department offices. The system owner for iPost is IRM’s Enterprise Network Management Office; however, IRM/IA staff promotes its usage, manages its everyday support, and answers questions from the users. The iPost database integrates selected performance, security, and configuration data according to IRM/IA risk measurement criteria to present a single simplified interface. System owners commented that on occasion iPost reported scores lower than they should be. System owners are held accountable for the low scores even after reporting mistakes to IRM/IA. IRM/IA management reported that a change in the criteria used by iPost creates such a situation but sent no Departmentwide notification to inform users of any changes.

The IT Asset Baseline, now known as iMatrix, is another tool used by system owners. The tool is used to record all attributes associated with each Department system, including security classification and funding. System owners are asked to report on each information system within iMatrix and regularly update the data. IRM/IA is responsible for validating the active period for each system and requires each system to have the necessary authorization to operate. However, several reported systems in iMatrix had incorrect information.
For example, several systems were shown as having an expired authorization to operate, but in reality the systems had received extensions to continue to operate.

Many system owners cited issues with the guidance provided by IRM/IA for C&A activities and the constant changes made to templates without any notification or consideration of the ramifications to the entire C&A process. The C&A Toolkit on the IRM/IA Web site is a reference point for system owners to obtain information on the latest changes to templates and guidance. There is no governance process within IRM/IA regarding why, how, or when template changes are made to the C&A Toolkit. During the inspection, the IRM/IA staff was making changes to templates in an ad hoc manner; the staff told the OIG team that ad hoc changes were normal. With frequent changes made to C&A guidance and templates, system owners often proceed with the C&A process and are informed at completion that their package is incorrect. Over 90 percent of C&A packages submitted during the course of the inspection were either incomplete or unusable due to a change that occurred to the guidance without system owners being notified.

IRM/IA management agrees with the need to survey system owners regarding their issues with the C&A tools and plans to issue a survey tool to gather information shortly.

Recommendation 9: The Bureau of Information Resource Management should survey system owners on issues they are encountering with certification and accreditation tools and take necessary corrective steps to improve the certification and accreditation tools, guidance, templates, and procedures. (Action: IRM)

Recommendation 10: The Bureau of Information Resource Management should develop a control process for changes to certification and accreditation templates and guidance that includes advance notice to system owners of pending changes. (Action: IRM)

Review by Assessors

C&A packages are reviewed by a group of assessors in the IRM/IA System Authorization Division. These personnel are contractors who perform C&A work under the scope of the Vanguard 2.2.1 contract. Many system owners noted in their OIG survey responses that the level of interaction and review varied with each assessor. Some C&A packages received close scrutiny on all required elements, such as the appropriate level of security categorization for the system and the level of risk assessment performed, while others did not. Some system owners described assessors as lacking an understanding of the C&A process and the Department’s operating environment.

The level of review performed by the assessors would benefit from the identification of common security controls for Department systems. Common security controls identify the management, operational, and technical safeguards or countermeasures needed for Department systems to protect the confidentiality, integrity, and availability of its information. Many Department systems are dependent on parent-child relationships to the Department’s primary enterprise general support systems—OpenNet and ClassNet. As a result, many systems submitted for C&A approval by system owners would inherit the same levels of security categorization and controls as the primary system. The use of common security controls allows system owners and the C&A assessors to have a baseline as a starting point to facilitate a more consistent level of review and security for all Department systems.
To date, IRM/IA has not taken the necessary steps to identify the common controls for its systems or disseminate this information to the relevant individuals.

IRM/IA management informed the OIG team that their office has taken the lead in the development of unclassified common controls and has been working on the effort for the last 7 months, with anticipated completion by the end of the calendar year.

Recommendation 11: The Bureau of Information Resource Management should identify the common security controls for its Department of State systems. (Action: IRM)

Recommendation 12: The Bureau of Information Resource Management should document the necessary review steps to be performed by each certification and accreditation assessor. (Action: IRM)

Expired Authorizations to Operate

With the frequent changes to guidance, non-user-friendly tools, and varied degrees of review being performed by assessors, the C&A process managed by IRM/IA is ineffective. As a result, many systems have expired authorizations to operate. Despite being the lead office for information assurance, IRM/IA is only responsible for completing the C&A packages for 56 percent of the Department’s 309 systems. The remainder of the C&A packages are handled by DS and the Bureau of Consular Affairs. Of the total number of Department systems requiring C&A, 52 systems currently have expired authorizations to operate. IRM/IA is responsible for 36 of those lapsed systems, which represent 69 percent of the total lapsed systems. Further, the expired authorizations to operate for DS and the Bureau of Consular Affairs are recent occurrences. Delinquent systems under the responsibility of IRM/IA have been operating with expired authorizations, in many cases for 2 years or more.

When questioned, IRM/IA management stated that the responsibility for completing system authorizations is with system owners. System owners have a responsibility to complete the necessary documentation and assessments, but ultimately it is the CISO’s responsibility to verify that systems authorizations have been performed on all Department systems in accordance with Title III of the E-Government Act of 2002.

The CISO has discussed plans to conduct a workload analysis of the C&A process to determine whether the requirement to have a C&A review performed every 3 years could be completed more effectively. The CISO is considering splitting the number of Department systems into three equal parts to avoid fluctuations in the level of work and to ensure that C&A assessors would have a constant flow of work. This could be a viable option after further review; however, the CISO’s top priority should be to address expired authorizations to operate and to mitigate any potential security vulnerabilities.

Recommendation 13: The Bureau of Information Resource Management should develop an action plan to address all Department of State systems with expired authorizations to operate. (Action: IRM)

Certification and Accreditation Reimbursements

IRM/IA does not have an effective process for tracking C&A reimbursements received from bureaus. Department bureaus fund a predetermined amount to IRM/IA for its assistance in performing risk assessments as part of C&A efforts for the bureaus’ systems. C&A reimbursement amounts are maintained in the Department’s Corporate Budget Allocation Tracking System (CBATS) and an internal spreadsheet maintained by the IRM/IA System Authorization Division.

IRM/IA provided the OIG team with documentation showing C&A reimbursements received for the last 2 fiscal years.
The documentation showed that in FY 2012, the CBATS showed a total for C&A reimbursements of $562,058, while the IRM/IA funding spreadsheet showed a total of $258,944. For FY 2011, the CBATS showed a total of $551,490, and the IRM/IA spreadsheet displayed a total of $2,770,057.

One factor contributing to the difference in C&A reimbursement totals is that IRM/IA includes reimbursements for systems under the Vanguard 2.2.1 contract, which IRM management decided not to include since those systems are covered under the contract cost. Further, no one in IRM/IA is assigned the responsibility to reconcile the C&A reimbursements listed in the CBATS against the IRM/IA funding spreadsheet. Bureaus have also been unable to validate the accuracy of C&A reimbursements reported since IRM/IA no longer provides close-out reports to system owners. Without accurate reporting, IRM/IA cannot guarantee that it is receiving the correct amount for reimbursements, and bureaus may be due refunds for overpayments made for C&A activities.

IRM/IA informed the OIG team in its report comments that the office is in the midst of establishing a process to verify associated C&A costs incurred by system owners. Cost accounting procedures are being developed to ensure system owners are only paying for work directly associated with the cost of completing their C&A tasks. Once the new cost accounting procedures are established, a close-out report will be provided to the system owners for cost verification.

Recommendation 14: The Bureau of Information Resource Management should assign an individual to review and reconcile certification and accreditation reimbursements between the Corporate Budget Allocation Tracking System and the Bureau of Information Resource Management’s internal funding spreadsheet. (Action: IRM)

Recommendation 15: The Bureau of Information Resource Management should provide system owners with close-out reports for verification of associated certification and accreditation costs. (Action: IRM)

iPost Development

IRM lacks a defined project management methodology for iPost. A project management methodology defines the recommended procedures by which an organization envisions, defines, builds, deploys, operates, and maintains its systems and applications. The absence of such a methodology has resulted in a lack of reliability of tools used by Department personnel for reporting systems and their associated security measures.

For example, iPost is owned by IRM’s Enterprise Network Management Office, but its everyday management and support to users is handled by IRM/IA. The tool has been widely promoted in the Department and among other Federal agencies. iPost was recognized with numerous government recognitions and awards.6 Nevertheless, the OIG team found no project management documentation or evidence of the office following any project management methodology for the development and maintenance of iPost during its life cycle. IRM had no planning documents or budget information for iPost. There was no source code documented to illustrate how information is aggregated to reflect the scores shown and reported by the tool. IRM management was unable to explain how the tool was developed and what network and security information is actually being collected and used. IRM/IA is in the process of reviewing iPost in hopes of understanding its origin. Additionally, iPost is one of the Department’s systems that does not have a current authorization to operate.
The CISO hopes to understand what information is collected and used for iPost scores and obtain a better understanding of the source code so that future program changes can be made.

Recommendation 16: The Bureau of Information Resource Management should develop project management documentation for iPost. (Action: IRM)

Content Management

Content organization and management of the IRM/IA Web site and shared network need to be improved. The IRM/IA Web site contains outdated information and reference materials. Toolkits do not include the current version of templates required to be used by system owners or references to current guidelines. Additionally, the IRM/IA Web site has no background information for visitors that explains the functions performed by IRM/IA and what role the office plays in the Department. There is no posted organization chart with details on staff, management, or the new CISO. Additionally, the IRM/IA shared network contains many items that are not organized in a logical and easy-to-use manner. The shared drive contains more than 240 folders as well as additional random documents. The labeling of the folders is not detailed enough to provide content clarity. Many folders contained documents more than 5 years old.

The lack of a content manager and defined processes has resulted in IRM/IA staff being unable to locate information in a timely manner, including documents pertaining to C&A activities and contract management. Currently, one contractor maintains the IRM/IA Web site, but the individual does not request content updates from the divisions or review the material on a regular basis. Also, this individual does not oversee the shared network and its contents. An assigned content manager and defined process would improve content relevancy, timeliness, and accuracy.

Recommendation 17: The Bureau of Information Resource Management should assign a content manager and define a content management process for managing the content on its Office of Information Assurance Web site and shared network. (Action: IRM)

6 The Department’s Risk Scoring program, which is implemented via iPost, was awarded the National Security Agency’s 2009 Frank B. Rowlett Award for Organizational Achievement, recognizing the Department for making a significant contribution to the improvement of national information systems security and operational information assurance readiness. The System Administration, Networking, and Security Institute awarded the Office of the Chief Information Officer in 2011 the U.S. National Cybersecurity Innovation Award for significantly improving the effectiveness of the nation's cyber security by creating, deploying, and sharing iPost’s Risk Scoring program.

Resource Management

Budget and Funding

The leadership of IRM/IA has not given sufficient attention to assessing and addressing its operationally mandated requirements for information assurance, leading to a widespread belief among staff that the office does not have enough financial resources to meet its needs. IRM/IA has not carried out its budget planning effectively in recent years. The OIG team could not validate whether IRM/IA has been unable to meet priorities, since the office has not defined any priorities.
The lack of adequate involvement in budget formulation by IRM/IA has led to the office having minimal funds available for staff travel and training.

The baseline budget for IRM/IA operations is funded out of Diplomatic and Consular Programs and Worldwide Security Protection program funding, which has remained at $5.9 million for FYs 2011–13. The overall funding for IRM/IA is approximately $10 million per year when additional funds from reimbursements and internal IRM transfers are included. For FY 2014, the previous Chief Information Officer directed an additional $8 million to IRM/IA to support C&A initiatives, continuous monitoring, and controls needed for safeguarding classified information.

IRM/IA did not participate in the IRM budget formulation process in the past, and no progress has been made under the new CISO. IRM/IA did not participate in budget request calls for FY 2014. Also, there is no evidence of collaboration by IRM/IA with other IRM offices or other Department entities for analyzing and capturing the broader budgetary requirements to manage the information security activities of the Department.

As part of the budget formulation for FY 2015, IRM plans to use a zero-base budgeting approach. This approach will require all of IRM to build requirements from the ground up to include specific justifications, objectives, assumptions, proposed performance targets, and indicators. It will include accomplishments for the prior 3 fiscal years, cost savings and avoidance projections, and a focus on identified risks. IRM management believes the zero-base approach will more closely align budget planning with strategic and resource planning under the QDDR process and with guidance from the Bureau of Budget and Planning. IRM/IA can play a vital role in helping ensure that information security requirements are met with a zero-base budgeting approach. Most importantly, IRM/IA can ensure sufficient resources are available to carry out an effective information security program.

Recommendation 18: The Bureau of Information Resource Management should include information security activities performed by the Office of Information Assurance in its budget submission to the Department of State. (Action: IRM)

Contract Management

IRM/IA lacks adequate management controls and procedures for its contract management. Deficiencies exist in oversight, file maintenance, and the assignment and performance of contracting officer’s representative (COR) and government technical monitor responsibilities.

IRM/IA manages five procurement vehicles with a value of more than $79 million. IRM/IA management is examining four of the procurement vehicles—one contract, two task orders, and a blanket purchase agreement—with a total value of $19 million and plans to end each at their respective option year. The fifth procurement vehicle—the IRM Vanguard 2.2.1 contract—is in the second of 9 option years. The IRM/IA share of the Vanguard 2.2.1 contract is approximately $19 million through the current option year, with a total estimated value of $60 million if all option years are exercised. The CISO plans to execute new contracts to provide office administration and data management coverage and to find an alternative means of providing C&A services currently provided through the Vanguard 2.2.1 contract—the portion of the overall IRM Vanguard contract reviewing the Department’s network and risk management.

Management Oversight

IRM/IA staff is not overseeing contracts effectively.
Responsibilities of the COR and\ngovernment technical monitor are assigned to individuals without the technical expertise to\nreview the work being performed. Documentation is incomplete and lacks budget documents,\nlabeling, or evidence of reconciliation of supporting documents.\n\n        IRM/IA has had two individuals\xe2\x80\x94the Policy, Liaison, and Reporting Division chief and\none staff member\xe2\x80\x94managing all of its procurement vehicles. After the departure of the division\nchief at the beginning of this inspection, all remaining responsibilities were transferred to the\nstaff member. This individual is responsible for tracking funds, maintaining accounting records,\napproving invoices, and authorizing payments and is doing so without having daily interaction\nwith the contractors or their work and with inadequate separation of duties. While necessary\nCOR training was taken by both individuals, no verification that continuous education and\ntraining was taken by the division chief to maintain his certification was done. The former\ndivision chief did not maintain documentation, resulting in the staff member assuming the\nresponsibilities with little understanding of past actions. There was no information detailing\ndeliverables, payments, balance of funds remaining, or delegations of authority. As a result,\nIRM/IA did not experience a smooth transition of contract responsibilities but spent a\nconsiderable amount of time locating required information during the OIG inspection.\n\n         Contract documentation showed numerous instances of incomplete files, including some\nwithout any required documents, labeling, or reconciliation. For example, one contract with a\nceiling of $2 million had inconsistencies in the deliverables and review process for payment. 
The
contractor submits deliverables electronically to the CISO and COR, while providing hard-copy
deliverables to another individual in the office for uploading to the office’s SharePoint site. The
files are not readily identifiable or organized, so it is difficult to match the deliverables to the
payments received. In fact, the contractor emailed the CISO and COR requesting payment for
services with no deliverables attached for verification of services received. Further, the
contractor provides invoices with charges for other direct costs such as travel and related
expenses; however, clearer explanations of these expenses are needed so that management can
determine what the charges relate to.

      Payments are also being made without sufficient management oversight. An invoice
showed IRM/IA overpaid a contractor and, in one instance, erroneously paid for a deliverable in
advance of the date it was delivered. IRM/IA principals could not locate deliverables to support
payments and none of the personnel in IRM/IA were reviewing payments on a regular basis.

        IRM/IA does not maintain a single repository detailing all of its respective contracts.
Management could not provide the OIG team with details on contract scope, modifications,
award dates, required deliverables, and invoice payment information. On one contract, the COR
was not aware whether funds were available and had obligated the contract over its ceiling.
Another example of mismanagement involves IRM/IA management approving invoices without
authorization from the government technical monitor, and management was unable to explain
years of contract inactivity on a particular task order.
As a result, the Office of the Procurement
Executive in the Bureau of Administration is requesting IRM/IA to deobligate $2 million of the
$2.5 million task order if the task order is not completed by the end of FY 2013—putting the
office at risk of losing $2 million that could be used toward other office efforts.

         Management is unable to verify the accuracy of reported costs. The invoices for another
task order listed the number of hours worked by labor category, while the associated timesheets
listed the individuals by name. Neither document links the individuals to the labor category and
hours worked. The scope of the work has decreased significantly over the years and management
verifies the hours of the few remaining contractors through personal interactions. The task order
will terminate at the end of FY 2013 and IRM/IA is planning to execute another contract to
replace it. Prior to doing so, IRM/IA should compile a breakdown of work and individuals
assigned to this task order to verify cost accuracy. IRM/IA was counseled on the need to have
complete documentation to verify labor hours for cost accuracy.

           Informal Recommendation 2: The Bureau of Information Resource Management
           should verify the individuals assigned and the hours worked on the time and materials
           procurement vehicle.

       IRM/IA management is aware of the internal control weakness caused by having one
individual handle all contract responsibilities with little ability to oversee the work being
performed. The CISO plans to assign contract management responsibilities to other IRM/IA staff
members to provide adequate oversight and separation of duties.
However, no corrective actions
were taken during the course of the inspection.

Recommendation 19: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should assign the responsibilities of the contracting officer’s
representative and government technical monitor for the Office of Information Assurance
contracts to individuals with involvement in the work performed by the contractors. (Action:
IRM, in coordination with A)

Recommendation 20: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should require the assigned contracting officer’s representative
and government technical monitor to maintain complete contract files. (Action: IRM, in
coordination with A)

Recommendation 21: The Bureau of Information Resource Management should implement an
internal tracking mechanism for the management of Office of Information Assurance contracts.
(Action: IRM)

Central Repository

        Contract documents are kept in several locations by IRM/IA staff, including personal
email files, an electronic library site, the shared drive, and hard copies. Complete contract
files were not provided and IRM/IA was unable to locate missing documents, resulting in staff
providing piecemeal documentation for OIG review. IRM/IA is in the process of scanning and
uploading older files to its SharePoint site, but the process is illogical and disorganized. There are
inconsistent naming conventions, no identification of the files or their contents, and no grouping
of documents pertaining to specific contracts.

Recommendation 22: The Bureau of Information Resource Management should establish a
central repository for Office of Information Assurance contract documentation.
(Action: IRM)

Contractors’ Access to Shared Folders

        Contractors have inappropriate access to contract files. For example, third-party
contractors had access to folders that were unrelated to their assigned responsibilities. These
folders contained government controlled information, including budget documents, contract
bidding documents, and other proprietary information. Without proper procedures, the ISSO
cannot control personnel access rights; as a result, IRM/IA risks sensitive materials being
viewed by unapproved personnel and contractors potentially gaining an unfair advantage in
contract procurement matters.

Recommendation 23: The Bureau of Information Resource Management should require the
Office of Information Assurance to implement procedures for granting system access to its
personnel. (Action: IRM)

Recommendation 24: The Bureau of Information Resource Management should require the
Office of Information Assurance to review the system access rights of its contract staff for
viewing folders on the shared network and restrict permissions as appropriate. (Action: IRM)

Inherently Governmental Functions

        Several IRM/IA contractors are performing inherently governmental functions. These
functions include drafting responses to OIG audit reports and reviewing and clearing pending
legislation on behalf of IRM/IA. In addition, contractors appear to be performing services and
actions that may be inherently governmental and require closer monitoring. One contractor could
view emails sent to the CISO, allowing the individual access to potentially confidential or
sensitive materials. Contractors were also responding to Department officials on policy-related
issues. Further, contractors were handling personnel matters, including interacting with the
Bureau of Human Resources on position description revisions and vacancy announcements and
developing the proposed IRM/IA reorganization package.
IRM/IA management must take the
necessary steps to remove contractors from performing such actions.

Recommendation 25: The Bureau of Information Resource Management should review the
work being performed by contractors in the Office of Information Assurance and reassign the
inherently governmental functions to a government direct-hire employee. (Action: IRM)

Vanguard 2.2.1 Contract Management

        The IRM/IA-related scope of the Vanguard 2.2.1 contract has not been managed
appropriately. Specifically, the CISO changed the scope of the C&A work twice throughout the
process without consideration of the ramifications on the workload. Most importantly, there is a
lack of communication among responsible parties. These combined factors have resulted in the
Department having expired authorizations to operate 52 of its 309 systems. The Vanguard 2.2.1
contract is a 10-year vehicle with a total estimated value of $2.5 billion; the current IRM/IA
portion of the contract is approximately $19 million through current option year 2 and projected
to reach a total estimated value of $60 million if all options are exercised.

        The C&A contract scope went through a major change after the contract award process.
Originally, when the Department released a request for procurement, the statement of work noted
that the Department did traditional C&A activities and was planning to move towards continuous
monitoring for its systems. The request stated that traditional C&A activities would cease when
the changeover was made to continuous monitoring, thus requiring minimal staff support.
However, after the contract was awarded, the previous CISO departed and the Chief Information
Officer at that time decided to resume traditional C&A activities and to also include C&A work
for OpenNet and ClassNet.
The renewed C&A activities increased the scope of the contract and
resulted in an increase in work and expenses for the contract company, which was not fully
prepared for the additional workload now required by the Department.

       IRM management then eliminated continuous monitoring from the scope of the contract,
which resulted in cost savings of about $13 million over the life of the contract. Because the
Department could not do OpenNet and ClassNet assessments under continuous monitoring, it
needed to include a $1.8 million time and material project to perform the traditional C&A
assessment. IRM spent the additional funds without monitoring the work of the contractor.

        Lack of communication among responsible parties is a major issue. IRM/IA is
experiencing problems with the work performed by the C&A contractors. Specifically, the
contractors are unable to keep up with the workload, resulting in many systems having expired
authorizations to operate. The Vanguard COR was unaware of these issues since IRM/IA has not
conveyed any details to the individual or the program office for the COR. In fact, weekly
assessment reports from the IRM/IA government technical monitor contained no description of
problems with the workload and contractor performance. The Vanguard COR became aware of
the seriousness of the scope of the contract not being met only after the OIG team conveyed the
issues. The CISO recently began pursuing an alternative means of performing the C&A work
during the OIG inspection—a matter of which, once again, the Vanguard COR has not been made
aware.

       According to IRM/IA management, they are working with the Bureau of Administration
to complete a Request for Information to gather data concerning the funding and staffing
requirements of completing C&A reviews for the Department’s information systems.
Once the
information is received, a determination will be made by the CISO regarding future C&A work
under the Vanguard 2.2.1 contract.

Recommendation 26: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should determine how future certification and accreditation work
will be performed under the Vanguard 2.2.1 contract. (Action: IRM, in coordination with A)

Inventory Management

        An inventory check identified 57 computers, 6 printers, and 2 monitors as excess
inventory for IRM/IA. According to 14 FAM 427.1, property that is no longer needed by an
office should not be allowed to accumulate in office spaces. Transferring the excess equipment
will streamline IRM/IA property records and reduce the potential threat of loss or mishandling.

Recommendation 27: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should dispose of excess information technology equipment for
the Office of Information Assurance. (Action: IRM, in coordination with A)

Training

        IRM/IA has not developed an officewide training curriculum for its employees, nor does
each staff member have an individual development plan. Training records from the Bureau of
Administration, which is the executive office of IRM/IA, show that management has not taken
required management and leadership training. Many employees reported that they did not have
individual development plans. In accordance with 13 FAM 022.3 and 3 FAH-1 H-2821.3 a.(3),
directors and managers should ensure that training needs are identified and outlined in an
individual development plan.
Because the focus of IRM/IA is information security, staff and
management need to have the relevant knowledge and skills and remain abreast of new
technology by receiving regular training.

Recommendation 28: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should implement a training curriculum for the Office of
Information Assurance that outlines required and recommended training for all staff levels and
functions. (Action: IRM, in coordination with A)

Recommendation 29: The Bureau of Information Resource Management should require an
individual development plan for each Office of Information Assurance employee. (Action: IRM)

Equal Employment Opportunity

        IRM/IA would benefit from having an in-house counselor to assist with Equal
Employment Opportunity concerns. During the course of this inspection, IRM/IA was handling
one formal complaint as well as two employee relations cases. Currently, IRM/IA employees
report Equal Employment Opportunity matters directly to the Office of Civil Rights, which
provides guidance to employees. While having an internal counselor is not required by
Department regulations, a counselor would provide an informed view of the compliance of
IRM/IA with Equal Employment Opportunity principles and assist staff with facilitating their
concerns.

           Informal Recommendation 3: The Bureau of Information Resource Management
           should designate an Equal Employment Opportunity counselor to assist staff with
           guidance and resolving issues.

Performance Plans and Employee Appraisals

       Many employees have not received their 2012 employee performance appraisals or
received their performance plans for 2013.
According to documentation received from the
Bureau of Human Resources dashboard, 2012 employee performance appraisals and 2013
employee performance plans have been completed for the CISO and the IRM/IA division chiefs;
however, none of the division chiefs has completed the appraisals or performance plans for
their respective staff members. Prompt attention by the CISO in directing his division chiefs to
complete these mandatory performance documents is necessary.

        IRM/IA management indicated to the OIG team that 2013 performance plans will be
completed by June 2013. IRM/IA management stated that an agreement between the union and
the Bureau of Human Resources, Labor Relations Office, determined that those individuals who
did not receive 2012 performance plans will not be given performance appraisals for that year.

Recommendation 30: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should complete 2012 employee performance appraisals and 2013
employee performance plans for the Office of Information Assurance staff. (Action: IRM, in
coordination with A)

Orientation for Incoming Personnel

       IRM/IA does not have an orientation packet for incoming personnel. Personnel became
familiar with the organization and their positions either by asking questions or by having an
unofficial mentor. A comprehensive orientation packet would provide the staff with a common
understanding of the functions of the office and its role in the Department.

           Informal Recommendation 4: The Bureau of Information Resource Management
           should direct the Office of Information Assurance to develop an information packet
           for incoming personnel.

Physical Security

Principal Unit Security Officer

       IRM/IA does not have a primary principal unit security officer as required by 12 FAM
563.1.
The former officer departed IRM/IA and the assigned alternate is performing the function
on a collateral basis along with his property officer responsibilities. Per FAM regulations, the
head of each major functional area must designate a principal unit security officer to assist in
carrying out the area’s security responsibilities.

Recommendation 31: The Bureau of Information Resource Management should appoint a
principal unit security officer for the Office of Information Assurance. (Action: IRM)

Closing Hours Security Check

        IRM/IA does not have an acceptable process for performing security checks at closing
hours. Security container checklists are not used daily as part of securing safes. Further, staff
does not have shared responsibility to perform a walk around at closing hours to ensure the work
space is secure. In accordance with 12 FAM 534.2, supervisors should institute a system of
designating employees to conduct closing hours security checks on a weekly basis. By doing so,
IRM/IA can help ensure that classified material is properly stored and secured.

Recommendation 32: The Bureau of Information Resource Management should direct the
Office of Information Assurance to implement a closing hours security check.
(Action: IRM)

List of Recommendations

Recommendation 1: The Bureau of Human Resources should direct the Office of Resource
Management and Organizational Analysis to perform an organization assessment of the Bureau
of Information Resource Management, Office of Information Assurance, including a workforce
and workload balance analysis and a review of similar functions that are being performed by
other offices in the Department of State. (Action: DGHR)

Recommendation 2: The Bureau of Information Resource Management should develop a
written mission statement for the Office of Information Assurance that includes short-term and
long-term priorities and goals for the office and each division. (Action: IRM)

Recommendation 3: The Bureau of Information Resource Management should revise its
Department of State Information Technology Strategic Plan to include the Office of Information
Assurance activities. (Action: IRM)

Recommendation 4: The Bureau of Information Resource Management, in coordination with
the Bureau of Diplomatic Security, should direct the Office of Information Assurance to update
Volume 5 of the Foreign Affairs Manual and Foreign Affairs Handbook. (Action: IRM, in
coordination with DS)

Recommendation 5: The Bureau of Information Resource Management, in coordination with
the Bureau of Diplomatic Security, should implement a clearance process for revisions and
updates to the Foreign Affairs Manual and Foreign Affairs Handbook that includes the review
and approval of both bureaus.
(Action: IRM, in coordination with DS)

Recommendation 6: The Bureau of Information Resource Management, in coordination with
the Bureau of Diplomatic Security, should establish Foreign Affairs Manual and Foreign Affairs
Handbook policies on information technology security exceptions, including descriptions of
types of exceptions and procedures for requesting waivers. (Action: IRM, in coordination with
DS)

Recommendation 7: The Bureau of Information Resource Management should require the
Office of Information Assurance to participate regularly in Departmentwide information
technology working group meetings and share learned information from such meetings with its
staff. (Action: IRM)

Recommendation 8: The Office of the Under Secretary for Management, in coordination with
the Bureaus of Diplomatic Security and Information Resource Management, should assign
responsibility of the information systems security officer program to a single bureau. (Action:
M/PRI, in coordination with DS and IRM)

Recommendation 9: The Bureau of Information Resource Management should survey system
owners on issues they are encountering with certification and accreditation tools and take
necessary corrective steps to improve the certification and accreditation tools, guidance,
templates, and procedures. (Action: IRM)

Recommendation 10: The Bureau of Information Resource Management should develop a
control process for changes to certification and accreditation templates and guidance that
includes advance notice to system owners of pending changes. (Action: IRM)

Recommendation 11: The Bureau of Information Resource Management should identify the
common security controls for its Department of State systems.
(Action: IRM)

Recommendation 12: The Bureau of Information Resource Management should document the
necessary review steps to be performed by each certification and accreditation assessor. (Action:
IRM)

Recommendation 13: The Bureau of Information Resource Management should develop an
action plan to address all Department of State systems with expired authorizations to operate.
(Action: IRM)

Recommendation 14: The Bureau of Information Resource Management should assign an
individual to review and reconcile certification and accreditation reimbursements between the
Corporate Budget Allocation Tracking System and the Bureau of Information Resource
Management’s internal funding spreadsheet. (Action: IRM)

Recommendation 15: The Bureau of Information Resource Management should provide
system owners with close-out reports for verification of associated certification and accreditation
costs. (Action: IRM)

Recommendation 16: The Bureau of Information Resource Management should develop
project management documentation for iPost. (Action: IRM)

Recommendation 17: The Bureau of Information Resource Management should assign a
content manager and define a content management process for managing the content on its
Office of Information Assurance Web site and shared network. (Action: IRM)

Recommendation 18: The Bureau of Information Resource Management should include
information security activities performed by the Office of Information Assurance in its budget
submission to the Department of State. (Action: IRM)

Recommendation 19: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should assign the responsibilities of the contracting officer’s
representative and government technical monitor for the Office of Information Assurance
contracts to individuals with involvement in the work performed by the contractors.
(Action:
IRM, in coordination with A)

Recommendation 20: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should require the assigned contracting officer’s representative
and government technical monitor to maintain complete contract files. (Action: IRM, in
coordination with A)

Recommendation 21: The Bureau of Information Resource Management should implement an
internal tracking mechanism for the management of Office of Information Assurance contracts.
(Action: IRM)

Recommendation 22: The Bureau of Information Resource Management should establish a
central repository for Office of Information Assurance contract documentation. (Action: IRM)

Recommendation 23: The Bureau of Information Resource Management should require the
Office of Information Assurance to implement procedures for granting system access to its
personnel. (Action: IRM)

Recommendation 24: The Bureau of Information Resource Management should require the
Office of Information Assurance to review the system access rights of its contract staff for
viewing folders on the shared network and restrict permissions as appropriate. (Action: IRM)

Recommendation 25: The Bureau of Information Resource Management should review the
work being performed by contractors in the Office of Information Assurance and reassign the
inherently governmental functions to a government direct-hire employee. (Action: IRM)

Recommendation 26: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should determine how future certification and accreditation work
will be performed under the Vanguard 2.2.1 contract.
(Action: IRM, in coordination with A)

Recommendation 27: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should dispose of excess information technology equipment for
the Office of Information Assurance. (Action: IRM, in coordination with A)

Recommendation 28: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should implement a training curriculum for the Office of
Information Assurance that outlines required and recommended training for all staff levels and
functions. (Action: IRM, in coordination with A)

Recommendation 29: The Bureau of Information Resource Management should require an
individual development plan for each Office of Information Assurance employee. (Action: IRM)

Recommendation 30: The Bureau of Information Resource Management, in coordination with
the Bureau of Administration, should complete 2012 employee performance appraisals and 2013
employee performance plans for the Office of Information Assurance staff. (Action: IRM, in
coordination with A)

Recommendation 31: The Bureau of Information Resource Management should appoint a
principal unit security officer for the Office of Information Assurance. (Action: IRM)

Recommendation 32: The Bureau of Information Resource Management should direct the
Office of Information Assurance to implement a closing hours security check. (Action: IRM)

List of Informal Recommendations

        Informal recommendations cover operational matters not requiring action by
organizations outside the inspected unit and/or the parent regional bureau. Informal
recommendations will not be subject to the OIG compliance process.
However, any subsequent
OIG inspection or on-site compliance review will assess the mission’s progress in implementing
the informal recommendations.

Informal Recommendation 1: The Bureau of Information Resource Management should
require the Office of Information Assurance to develop an office strategic plan that aligns with
its mission and goals and with the Department of State’s Information Technology Strategic Plan.

Informal Recommendation 2: The Bureau of Information Resource Management should verify
the individuals assigned and the hours worked on the time and materials procurement vehicle.

Informal Recommendation 3: The Bureau of Information Resource Management should
designate an Equal Employment Opportunity counselor to assist staff with guidance and
resolving issues.

Informal Recommendation 4: The Bureau of Information Resource Management should direct
the Office of Information Assurance to develop an information packet for incoming personnel.

Principal Officials

Position                                                    Name    Arrival Date
CISO/Director                                         William Lay          09/12
Deputy Director                                     Gary Galloway          11/12
System Authorization Division             Charles “Randy” Johnson          01/13
Global Oversight Division                           Mark Mitchell          08/10
Policy, Liaison, and Reporting Division               Ron Austin*          04/12

*Departed 02/13.

Abbreviations

C&A               Certification and accreditation

CBATS             Corporate Budget Allocation
Tracking System

CISO              Chief information security officer

COR               Contracting officer’s representative

Department        U.S. Department of State

DS                Bureau of Diplomatic Security

FAH               Foreign Affairs Handbook

FAM               Foreign Affairs Manual

FISMA             Federal Information Security Management Act of 2002

IRM/IA            Bureau of Information Resource Management, Office of
                  Information Assurance

ISSO              Information systems security officer

IT                Information technology

OIG               Office of Inspector General

QDDR              Quadrennial Diplomacy and Development Review

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT OF FEDERAL PROGRAMS HURTS EVERYONE.

CONTACT THE OFFICE OF INSPECTOR GENERAL HOTLINE TO REPORT ILLEGAL OR WASTEFUL ACTIVITIES:

202-647-3320
800-409-9926
oighotline@state.gov
oig.state.gov

Office of Inspector General
U.S. Department of State
P.O. Box 9778
Arlington, VA 22219
"